security
F5 & TACACS communication
Hello Community, I am currently working to find the RCA for an issue in which, during datacentre fail-over testing, we were unable to log in to F5, and we are assuming there is a communication issue between F5 and the TACACS server. I have a few questions regarding how the authentication process works and how failover occurs when the primary TACACS server is unavailable. Here are my questions:

Packet Exchange: How does TACACS function at the packet level when F5 sends authentication requests? What types of packets are exchanged between F5 and the TACACS server during authentication?

Failover to Secondary TACACS Server: When the primary TACACS server is down or unreachable, how does F5 detect this and automatically send authentication requests to the secondary TACACS server? What type of packets and log entries should we see on the F5 side when this occurs?

Timeout and Retry Behavior: How many retry attempts does F5 make before switching to the secondary TACACS server? How long does F5 wait before retrying, and is this configurable?

I would appreciate any insights, best practices, or references to relevant documentation that can help clarify these points. Even a packet capture would help, as it is not feasible for me to reproduce the issue. Thanks in advance for your help! Best regards, Pradeep
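The packet-level exchange asked about above, as an added example that is not part of the original post and not F5 code: a small Python model of a TACACS+ (RFC 8907) ASCII login over the protocol's usual TCP port 49 transport, showing the 12-byte header, the per-packet MD5 pseudo-pad body obfuscation with the shared key, and the four packets (START, REPLY GETPASS, CONTINUE, REPLY PASS or FAIL) as each side encodes and the other side decodes them. The shared key, session ID, port name, remote address, username and passwords are made-up values.

```python
"""Worked TACACS+ (RFC 8907) ASCII login exchange, as a standalone model.

Added example, not code from the post or from F5. The shared key, session ID,
port name, remote address, usernames and passwords below are made-up values.
"""
import hashlib
import struct

VERSION = 0xC0                # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01            # packet type: authentication
FLAG_UNENCRYPTED = 0x01       # body sent in clear (only for lab/debug servers)
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS",
          6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}
# 12-byte header: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def encode(session_id, key, seq_no, body):
    """Header plus body XORed with the pseudo-pad (obfuscation, not encryption)."""
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    obfuscated = bytes(b ^ p for b, p in zip(body, pad))
    return HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body)) + obfuscated


def decode(packet, key):
    """Return (seq_no, session_id, plaintext body); a wrong key yields garbage, not an error."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ body")
    if flags & FLAG_UNENCRYPTED:
        return seq_no, session_id, body
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return seq_no, session_id, bytes(b ^ p for b, p in zip(body, pad))


def authen_start(user, port=b"tty0", rem_addr=b"192.0.2.10"):
    """START body: action LOGIN(1), priv_lvl 1, authen_type ASCII(1), service LOGIN(1), lengths, strings."""
    return (bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0])
            + user + port + rem_addr)


def authen_reply(status, server_msg=b""):
    """REPLY body: status, flags, server_msg_len, data_len, server_msg."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def authen_continue(user_msg):
    """CONTINUE body: user_msg_len, data_len, flags, user_msg."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def reply_status(body):
    """Map a decoded REPLY body to its status name."""
    status = struct.unpack_from("!BBHH", body)[0]
    return STATUS.get(status, status)


def ascii_login(key, session_id, user, password, expected_password):
    """Run the four-packet exchange both ways and return what each receiver decoded."""
    trace = []
    # seq 1, client -> server: START carrying the username
    pkt = encode(session_id, key, 1, authen_start(user))
    seq, _, body = decode(pkt, key)
    trace.append((seq, "START", body[8:8 + body[4]]))            # user_len is byte 4
    # seq 2, server -> client: REPLY GETPASS with a prompt
    pkt = encode(session_id, key, 2, authen_reply(5, b"Password: "))
    seq, _, body = decode(pkt, key)
    trace.append((seq, "REPLY", reply_status(body)))
    # seq 3, client -> server: CONTINUE carrying the password
    pkt = encode(session_id, key, 3, authen_continue(password))
    seq, _, body = decode(pkt, key)
    got = body[5:5 + struct.unpack_from("!H", body)[0]]
    trace.append((seq, "CONTINUE", got))
    # seq 4, server -> client: final REPLY, PASS(1) or FAIL(2)
    pkt = encode(session_id, key, 4, authen_reply(1 if got == expected_password else 2))
    seq, _, body = decode(pkt, key)
    trace.append((seq, "REPLY", reply_status(body)))
    return trace


if __name__ == "__main__":
    for step in ascii_login(b"s3cret-shared-key", 0x1234ABCD, b"pradeep", b"hunter2", b"hunter2"):
        print(step)
```

Two things a troubleshooter can take from this model: the body is only XOR-obfuscated with the shared key, so a key mismatch between the device and the server shows up as a garbled body rather than a clean error, and every packet's pad depends on the sequence number, so replies must carry the next sequence number of the same session. The model does not cover the TCP connection itself; RFC 8907 defines no failover, so which server is tried, how many times and after what timeout is entirely client-side behaviour of the device.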
malformed tcp and udp with 0 port
Hi, how do I stop malformed TCP and UDP port 0 attacks in AFM? Does this iRule work?

    when CLIENT_DATA {
        # UDP: drop datagrams whose source or destination port is 0
        if {[UDP::local_port] == 0 || [UDP::remote_port] == 0} {
            log local0. "Dropped UDP packet with port 0"
            drop
        }
    }

    when CLIENT_ACCEPTED {
        # TCP: drop connections whose source or destination port is 0
        if {[TCP::local_port] == 0 || [TCP::remote_port] == 0} {
            drop
        }
    }
How are memory and disk allocated to different modules on a BIG-IP appliance?
Hi, when doing "Resource Provisioning", the memory and disk space that are auto-allocated to LTM and ASM are shown as below. The amount of memory and disk is the minimum requirement, right? When a huge number of virtual servers are created later, will the appliance auto-allocate more spare memory and disk to the module? And what is the management module responsible for? Is it responsible for packet forwarding? Should we set "Provisioning" to "Medium" or "Large" if the throughput is larger than 1 Gbps? Can someone please advise? Thanks in advance!
APM Logon page logs
We are having a brute-force username-guessing attack, but we cannot analyze properly where it comes from or when it started. We don't have enough logs locally to generate reports for a month. Therefore we want to use our SIEM for it. Unfortunately the logs need to be correlated separately to get the username, date and IP from the same session. Has anyone accomplished that in your syslog SIEM?
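One way to do the correlation described above, as an added example that is neither the poster's nor F5's code: Python that joins the per-session fragments on the APM session ID and then counts distinct usernames that failed logon from each source IP. The log lines are constructed for the example; they follow the general shape of apmd syslog messages (timestamp, host, apmd[pid], message ID, access profile:partition:session ID, message), but the message IDs and wording are approximations, so the regular expressions must be adjusted to what your SIEM actually receives.

```python
"""Correlate APM logon events by session ID and flag username-guessing sources.

Added example, not the poster's or F5's code. LOG_LINES is constructed test
data shaped like apmd syslog output; the message IDs and texts are
approximations of the real ones.
"""
import re
from collections import defaultdict

LOG_LINES = """\
Mar 3 10:00:01 bigip1 notice apmd[4321]: 01490500:5: /Common/portal:Common:a1b2c3d4: New session from client IP 203.0.113.7 (ST=/SC=/C=) at VIP 198.51.100.10 Listener /Common/vs_portal
Mar 3 10:00:03 bigip1 notice apmd[4321]: 01490005:5: /Common/portal:Common:a1b2c3d4: Username 'alice'
Mar 3 10:00:03 bigip1 notice apmd[4321]: 01490106:5: /Common/portal:Common:a1b2c3d4: AD module: authentication with 'alice' failed: Preauthentication failed
Mar 3 10:00:04 bigip1 notice apmd[4321]: 01490500:5: /Common/portal:Common:e5f6a7b8: New session from client IP 203.0.113.7 (ST=/SC=/C=) at VIP 198.51.100.10 Listener /Common/vs_portal
Mar 3 10:00:06 bigip1 notice apmd[4321]: 01490005:5: /Common/portal:Common:e5f6a7b8: Username 'bob'
Mar 3 10:00:06 bigip1 notice apmd[4321]: 01490106:5: /Common/portal:Common:e5f6a7b8: AD module: authentication with 'bob' failed: Preauthentication failed
Mar 3 10:00:09 bigip1 notice apmd[4321]: 01490500:5: /Common/portal:Common:c9d0e1f2: New session from client IP 203.0.113.7 (ST=/SC=/C=) at VIP 198.51.100.10 Listener /Common/vs_portal
Mar 3 10:00:10 bigip1 notice apmd[4321]: 01490005:5: /Common/portal:Common:c9d0e1f2: Username 'carol'
Mar 3 10:00:10 bigip1 notice apmd[4321]: 01490106:5: /Common/portal:Common:c9d0e1f2: AD module: authentication with 'carol' failed: Preauthentication failed
Mar 3 10:01:00 bigip1 notice apmd[4321]: 01490500:5: /Common/portal:Common:0a0b0c0d: New session from client IP 192.0.2.44 (ST=/SC=/C=) at VIP 198.51.100.10 Listener /Common/vs_portal
Mar 3 10:01:02 bigip1 notice apmd[4321]: 01490005:5: /Common/portal:Common:0a0b0c0d: Username 'dave'
Mar 3 10:01:02 bigip1 notice apmd[4321]: 01490101:5: /Common/portal:Common:0a0b0c0d: Access policy result: Network_Access
"""

# One apmd line: timestamp, host, severity, process, msgid:level, profile:partition:sessionid, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ apmd\[\d+\]: "
    r"(?P<msgid>[0-9a-f]{8}):\d+: (?P<policy>\S+?):(?P<partition>\w+):(?P<sid>[0-9a-f]+): (?P<msg>.*)$"
)
IP_RE = re.compile(r"New session from client IP (\S+)")
USER_RE = re.compile(r"Username '([^']+)'")
FAIL_RE = re.compile(r"authentication with '([^']+)' failed")


def parse(lines):
    """Yield (session_id, timestamp, msgid, message) for every line that matches the apmd shape."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["sid"], m["ts"], m["msgid"], m["msg"]


def correlate(lines):
    """Join the client IP, username and outcome, which arrive in separate events, into one record per session."""
    sessions = defaultdict(dict)
    for sid, ts, _msgid, msg in parse(lines):
        rec = sessions[sid]
        rec.setdefault("first_seen", ts)
        rec["last_seen"] = ts
        if m := IP_RE.search(msg):
            rec["client_ip"] = m.group(1)
        elif m := USER_RE.search(msg):
            rec["username"] = m.group(1)
        elif FAIL_RE.search(msg):
            rec["outcome"] = "fail"
        elif msg.startswith("Access policy result:"):
            rec["outcome"] = "allow"
    return dict(sessions)


def brute_force_candidates(sessions, min_distinct_users=3):
    """Source IPs whose failed logons used at least min_distinct_users different usernames."""
    failed_users = defaultdict(set)
    for rec in sessions.values():
        if rec.get("outcome") == "fail" and "client_ip" in rec and "username" in rec:
            failed_users[rec["client_ip"]].add(rec["username"])
    return {ip: sorted(users) for ip, users in failed_users.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    joined = correlate(LOG_LINES)
    for sid, rec in joined.items():
        print(sid, rec)
    print(brute_force_candidates(joined))
```

The same per-session join works in most SIEM query languages: the client IP and the username arrive in different events that share only the session ID, so join on that field first and aggregate by IP afterwards. Before turning the count into an alert rule, add the listener (virtual server) and a time window, so that a shared NAT source with many legitimate users is not flagged on the distinct-username count alone.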
ports are showing open on online scanning tool
In our case F5 sits as the front-facing device; both links are terminated on the F5 device, and incoming and outgoing traffic goes through our F5.

DNS
Incoming: Client-->F5-->SW-->FW-->DMZ
Outgoing: DMZ-->FW-->SW-->F5-->Client

We have enabled port lockdown "Allow None" for the self IP, so we are concerned about why these ports are showing as open on an online scanning tool. Could you please confirm: do we need to implement any additional policies to block all ports for the public IP? Thanks, Pooja
Big IP AWAF and Kubernetes
Hi, looking for some clarity or a specific technical document. I have an existing BIG-IP virtual appliance and a "new" Kubernetes cluster (my knowledge is minimal). A customer requirement is that the cluster needs to be behind a WAF that is OWASP compliant. It seemed logical to update the F5 to include the ASM module (on a higher-spec appliance). My assumption is that it's just a case of creating a virtual server in LTM, creating a security policy and attaching it to the LTM virtual server. Are there any other considerations or, more importantly, show stoppers? Thanks in advance, Simon
why the gtm probing result is not shown on debug log?
Hi, we encountered a GTM wide IP pool monitoring issue, so I tried to turn on debug for GTM logging. The log captured for pool member status monitoring is only what is shown below. There is no result about the probing; why? Can someone please advise on it? Thanks in advance.

    debug gtmd[6034]: 011ae039:7: Check probing of IP:Port 10.50.62.252:8833 in DC /Common/DC-NY
    debug gtmd[6034]: 011ae03b:7: Will probe 10.50.62.252:8833 in DC /Common/DC-NY
PCI and Partitions
Can I satisfy a PCI audit with PCI and non-PCI servers on the same LTM-VE by using partitions? Is there any doc from F5 supporting this? [Already segregated: each partition with its own network interface.] We brought a system back in-house from an outside hosting company; they had implemented partitions to allow running the PCI and non-PCI environments on the same F5.